This repository was archived by the owner on Dec 26, 2020. It is now read-only.

Disable Ubuntu dynamic login MOTD #271

Closed
ancoron opened this issue Apr 3, 2020 · 3 comments

@ancoron
Contributor

ancoron commented Apr 3, 2020

Is your feature request related to a problem? Please describe.

Although I have explicitly set the following, the standard dynamic Ubuntu MOTD is still displayed upon login via SSH:

ssh_print_motd: false
ssh_print_last_log: false
ssh_banner: false
ssh_print_debian_banner: false

Example:

Welcome to Ubuntu 18.04.3 LTS (GNU/Linux <redacted> x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Apr  3 09:09:09 UTC 2020

  System load:  0.08              Processes:           666
  Usage of /:   13.9% of 7.69GB   Users logged in:     1
  Memory usage: 15%               IP address for eth0: <redacted>
  Swap usage:   0%


0 packages can be updated.
0 updates are security updates.

Describe the solution you'd like

The following lines in /etc/pam.d/sshd should be commented out or removed when variable ssh_print_motd is false and the OS is Ubuntu:

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate

Describe alternatives you've considered

All MOTD or banner related variables set to false.

Additional context
n/a

@rndmh3ro
Member

rndmh3ro commented Apr 4, 2020

Thanks @ancoron, for raising this issue and thanks to whoever thought it was a good idea to add yet another method for managing motd.
We can do this with the https://docs.ansible.com/ansible/latest/modules/pamd_module.html module. Do you want to take a stab at it?

@rndmh3ro rndmh3ro added the bug label Apr 4, 2020
@ancoron
Contributor Author

ancoron commented Apr 9, 2020

I just tested with the pamd module (previously had a simple replace task) and the following works for me:

- name: Disable dynamic MOTD
  pamd:
    name: sshd
    type: session
    control: optional
    module_path: pam_motd.so
    state: absent

@rndmh3ro
Member

This looks good! Do you want to create a PR to add this? We'd need the when-condition on the task and put it into the hardening.yml

rndmh3ro added a commit that referenced this issue Apr 18, 2020
Disable also dynamic MOTD via PAM if enabled - refs #271
@ancoron ancoron closed this as completed May 13, 2020
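
A way to verify the outcome discussed in this thread, as an added example that is not part of the original issue or the project's code: it parses PAM configuration text and lists any uncommented session rules that still load pam_motd.so. The function name and both sample fragments are constructed for illustration; on a host you would pass it the contents of /etc/pam.d/sshd.

```python
import re

# PAM rule layout: [-]type  control  module-path  [arguments]
# The control field is either a keyword or a bracketed list such as
# [success=1 default=ignore].
RULE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)


def active_motd_rules(pam_text):
    """Return (line_number, rule) for each uncommented pam_motd session rule."""
    hits = []
    for number, raw in enumerate(pam_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in PAM files
        match = RULE.match(line)
        if not match:  # blank lines, comments, @include directives
            continue
        rule_type = match.group("type").lstrip("-")  # "-session" is still a session rule
        module = match.group("module").rsplit("/", 1)[-1]  # tolerate absolute paths
        if rule_type == "session" and module == "pam_motd.so":
            hits.append((number, line))
    return hits


# Constructed sample: the stock Ubuntu lines quoted in the issue plus one unrelated rule.
STOCK = """\
# Print the message of the day upon successful login.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    required     pam_limits.so
"""

# Constructed sample: the same fragment with the MOTD rules commented out.
HARDENED = """\
#session    optional     pam_motd.so  motd=/run/motd.dynamic
# session    optional     pam_motd.so noupdate
session    required     pam_limits.so
"""

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("hardened", HARDENED)):
        print(name, active_motd_rules(text))
```
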